

Ethical Hacking News

Google Play Removes 77 Malicious Apps with Over 19 Million Installs Due to Anatsa Banking Trojan and Other Malware



A recent study by Zscaler's ThreatLabz has revealed that 77 malicious Android apps with over 19 million installs have been removed from Google Play for spreading the Anatsa banking trojan and other malware. The removal of these malicious apps highlights the importance of mobile app security and user awareness, as well as the need for regular software updates to protect against potential threats.

  • 77 malicious Android apps with over 19 million installs have been removed from Google Play.
  • The Anatsa banking trojan has evolved to target over 831 financial institutions worldwide.
  • Malicious apps requested accessibility permissions to auto-enable dangerous privileges.
  • Android users should verify app permissions and ensure they align with the intended functionality.
  • The incident highlights the importance of maintaining up-to-date security software and being aware of potential threats.


    Malicious apps with over 19 million installs have been removed from Google Play due to a significant increase in the spread of the Anatsa banking trojan and other malware. This development has left security experts and Android users alike on high alert, as the malicious apps were able to deceive users into installing them, often under the guise of legitimate applications.

    According to a report published by Zscaler's ThreatLabz, 77 malicious Android apps with over 19 million installs have been identified and removed from Google Play. The malicious apps were found to be spreading various types of malware, including the Anatsa (TeaBot) banking trojan. This banking trojan has evolved significantly since its first appearance in 2020 and now targets over 831 financial institutions worldwide, including banks, fintech services, and even cryptocurrency platforms.

    The latest variant of the Anatsa banking trojan has enhanced its evasion strategies by implementing various anti-analysis techniques. These techniques include decrypting each string at runtime using a dynamically generated Data Encryption Standard (DES) key, making it more resistant to static analysis tools. Furthermore, the malware employs advanced evasion tactics such as periodically changing package names and hashes, using APK ZIP obfuscation, and hiding DEX payloads in malformed archives that bypass static analysis.
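
    For defenders triaging samples, the malformed-archive point above can be checked before any static analysis tool runs. The following is an added example, not code from the article or from ThreatLabz: it compares each ZIP central-directory entry with its local header. Which fields to compare (encryption flag, compression method) is an assumption, since the article does not say how the archives were malformed, and the sample archive is constructed in memory.

```python
import io
import struct
import zipfile

EOCD_SIG, CEN_SIG, LOC_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
EXPECTED_METHODS = {0, 8}  # stored and deflate, the methods a normal APK uses

def audit_zip_headers(data: bytes) -> list[tuple[str, str]]:
    """Compare each central-directory entry with its local header; return (name, issue) pairs."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return [("<archive>", "no end-of-central-directory record")]
    # EOCD: total entry count at +10, central directory size at +12, offset at +16
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    findings = []
    for _ in range(count):
        if data[pos:pos + 4] != CEN_SIG or pos + 46 > len(data):
            findings.append(("<archive>", "central directory truncated or corrupt"))
            break
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        n_len, x_len, c_len = struct.unpack_from("<HHH", data, pos + 28)
        (loc,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + n_len].decode("utf-8", "replace")
        pos += 46 + n_len + x_len + c_len
        if data[loc:loc + 4] != LOC_SIG or loc + 30 > len(data):
            findings.append((name, "local header missing"))
            continue
        l_flags, l_method = struct.unpack_from("<HH", data, loc + 6)
        if (flags | l_flags) & 0x1:  # APK entries are not expected to be encrypted
            findings.append((name, "encryption flag set"))
        if method not in EXPECTED_METHODS or l_method not in EXPECTED_METHODS:
            findings.append((name, "unexpected compression method"))
        if method != l_method:
            findings.append((name, "central/local compression method mismatch"))
    return findings

def constructed_sample(tamper: bool) -> bytes:
    """Build a tiny two-entry archive in memory (constructed data, not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"constructed placeholder bytes" * 4)
    data = bytearray(buf.getvalue())
    if tamper:  # rewrite flags and method in the last central-directory entry only
        struct.pack_into("<HH", data, data.rfind(CEN_SIG) + 8, 0x1, 99)
    return bytes(data)

if __name__ == "__main__":
    for label, tamper in (("clean", False), ("tampered", True)):
        print(label, audit_zip_headers(constructed_sample(tamper)))
```

    Any finding is a reason to route the file to dynamic analysis rather than trust a static scanner's verdict; ZIP64 archives are outside what this check handles.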

    The malicious apps were able to spread their malware by requesting accessibility permissions to auto-enable dangerous privileges. Once these permissions were granted, the malware established XOR-encrypted communication channels with its command-and-control (C2) server. The malware also captured banking credentials through fake login pages tailored to detected apps.

    Experts believe that the surge in adware and malware like Joker, Harly, and Anatsa on Google Play is due to the lack of awareness among Android users about the dangers of malicious applications. The fact that many injection templates remain incomplete suggests that the attackers may not have fully tested their malware, which could lead to further security vulnerabilities.

    ThreatLabz reports a significant decline in Facestealer and Coper malware, while a surge in adware and Joker malware has been observed. However, it is essential for Android users to be vigilant when installing new applications from the Google Play Store. They should always verify the permissions that applications request and ensure they align with the intended functionality of the application.

    In light of this incident, security experts are urging Android users to exercise caution when using mobile apps. The removal of these malicious apps highlights the importance of maintaining up-to-date security software and being aware of potential threats before they reach critical levels.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Google-Play-Removes-77-Malicious-Apps-with-Over-19-Million-Installs-Due-to-Anatsa-Banking-Trojan-and-Other-Malware-ehn.shtml

  • https://securityaffairs.com/181528/malware/malicious-apps-with-19m-installs-removed-from-google-play-because-spreading-anatsa-banking-trojan-and-other-malware.html


  • Published: Mon Aug 25 15:36:40 2025 by llama3.2 3B Q4_K_M












